Johannesburg, 06 Aug 2004
Why are there so many security issues in the software world? The answer is not as simple as pointing the finger at operating systems and off-the-shelf software packages. Security problems also manifest themselves through applications that have been developed in-house without taking cognisance of the dangers of the electronic world from the outset.
There are very talented, dedicated and patient hackers with ready access to the equipment and information they need to disrupt an application either for theft, to cause disruption, or simply to demonstrate their skills. Only by designing and developing applications with security in mind from the start can developers make it difficult for external people to compromise them.
This is because security is often only considered at the end of the application development process. Traditional measures of success for developers revolve around delivering a better end-user experience: building applications that deliver firstly on functionality, then on performance. Add to this the fact that developers, and often the project sponsors, prefer to concentrate on delivering cool user interfaces or useful features and it can be seen why security is only considered at the end of the process - by which stage, it is difficult or even impossible to rectify code issues.
This lack of focus on security has to change. With the release of the Electronic Communications and Transactions Act and an increasing focus on data security and data privacy, producing an application that potentially gives hackers access to your client`s information could result in serious problems for your business - over and above the disruption to operations and loss of productivity that results from compromised business systems.
It`s a simple fact that it is difficult to build secure applications. Secure code requires extra effort, along with a detailed knowledge of Windows vulnerabilities and how to properly code to protect against them. Many developers may simply lack the experience to pinpoint areas of vulnerability and be unable to fix them.
The answer to this quandary lies in automating the development of an application to be secure from design. Just like rapid application development environments have been designed to automate many tasks for the developer, they can also automate security aspects to help create applications that deliver on all the aspects vital to businesses - functionality, performance, reliability AND security.
There are several stages in the development process where security should be applied. After requirements definition, analysis and design, writing code is the most important place at which to start. This first phase is the least expensive stage of the application lifecycle in which to get security right, and during coding the developer is in the best position to identify and address potential security flaws.
Finding security holes once the application has been written and built is more costly and presents a significant challenge, but the problems tend to be better understood, allowing automation to detect and help resolve these vulnerabilities more easily.
There are an almost infinite number of code implementations that can result in security weaknesses and it is unlikely that any single developer can even know about a significant number of them. That means that applications will almost certainly have security holes. Automating the identification and diagnosis of security weaknesses during development will mean less security risks and mean the production applications that will not compromise client information or the business systems that contribute to productivity.
Share